202
edits
Sandbox/OS X Rule Set: Difference between revisions
Explaining default deny and logging.
Haftandilian (talk | contribs) (Fix macosMinorVersion description.) |
Haftandilian (talk | contribs) (Explaining default deny and logging.) |
||
| Line 59: | Line 59: | ||
Don't enable any sandbox for Mac OS X 10.8 and earlier OR if the sandbox-level is less than 1. The rest of the policy only applies for 10.9 later when sandbox-level >= 1. | Don't enable any sandbox for Mac OS X 10.8 and earlier OR if the sandbox-level is less than 1. The rest of the policy only applies for 10.9 later when sandbox-level >= 1. | ||
|- | |- | ||
| | |<pre style="border:none;"> | ||
<pre style="border:none;"> | |||
" (begin\n" | " (begin\n" | ||
" (deny default)\n" | " (deny default)\n" | ||
</pre> | |||
|| | |||
By default, we deny. i.e., for any capability not explicitly allowed here, do not allow it to be used. | |||
|- | |||
| | |||
<pre style="border:none;"> | |||
" (debug deny)\n" | " (debug deny)\n" | ||
"\n" | "\n" | ||
</pre> | |||
|| | |||
For any rule that causes an action to be denied, log something in system.log. These log entries are easily viewed using the OS X "Console" application and filtering on "sandbox". | |||
|- | |||
|<pre style="border:none;"> | |||
" (define resolving-literal literal)\n" | " (define resolving-literal literal)\n" | ||
" (define resolving-subpath subpath)\n" | " (define resolving-subpath subpath)\n" | ||
" (define resolving-regex regex)\n" | " (define resolving-regex regex)\n" | ||
</pre> | |||
|| | |||
Shortcut macros. | |||
|- | |||
|<small> | |||
<pre style="border:none;"> | |||
" (define container-path appPath)\n" | " (define container-path appPath)\n" | ||
" (define appdir-path appDir)\n" | " (define appdir-path appDir)\n" | ||